File carving application, help

3 Posts
3 Users
0 Reactions
417 Views
(@dermot29)
Active Member
Joined: 12 years ago
Posts: 15
Topic starter  

I have been posting up here recently regarding project ideas for my final year. I have gone from one thing to another and not found anything I think I can do. At the moment I've started looking at file carving. For my project I need to do a good chunk of research on a topic. I do that first, then I need to develop my own piece of software related to that research.

I am finding the file carving stuff interesting, but I need some advice.

I would like to develop a program that could work with some type of popular evidence file like AFF, or raw dd. I could image a pen drive, say in NTFS, and use this image in my program to extract a file that has previously been deleted. I could do this based on finding the known file header and end of file marker. So essentially using the program to carve out the data.

I believe this is very possible and probably tricky enough.

http://web.cs.du.edu/~mitchell/forensics/projects/data_carving/instructions.html

I am competent in Java, but am struggling to find out how I might do this. If I could get all the data to a binary file in Java, I could probably start from there. I know a bit of C# and VB.NET.

I wonder does anyone have any experience of this, programming or otherwise, that might point me in the right direction?

thanks


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I have never used Java, but data carving is fairly straight forward at a basic level.

For carving (of a DD file) you need to seek the image file to a cluster start (you will need to determine cluster size, normally 8 for NTFS, and first sector of a cluster, which can be quite varied). The start then needs to be compared with your table (or similar) of file starts. FAT, Unix, HFS+ etc. are all different.

My approach in carving is not to look for file ends, but continue to the start of the next file. You need to be as careful as possible that you do not hit false positives.

My second stage is to take the extracted file and verify it. This can include making sure that a .DOCX file is called .DOCX and not .ZIP, even though they have the same basic signature and structure.

All along in programming, forget decimal, and think in hex. 99% of the time, it will make more sense.

Final part of data carving, very rarely done, is to handle fragmented files. To do this stage you need to know 110% of the file structure!


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Hi,

If we consider an example of image_carve.raw with the command line hexdump tool xxd,
I guess we need to follow the following steps:

1) Find the start of the JPEG (xxd and grep)
2) Find the end of the JPEG (xxd and grep)
3) Calculate the size of the JPEG (in bytes using bc)
4) Cut from the start to the end and output to a file (using dd)

So considering the above mentioned example, coding must be done in this perspective only. Give it a try and go for Java as it is the language that may prove to be the most convenient one.

Thanks and regards
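
The four steps above, as an added shell example that is not part of this thread: it locates the JPEG SOI (FF D8 FF) and EOI (FF D9) markers in a constructed image_carve.raw, computes the size and copies the bytes out with dd. od -tx1 stands in for xxd -p and shell arithmetic for bc so it needs only POSIX tools; the sample image is built by the script itself and contains a decoy whose hex text reads ffd8ff across a byte boundary, to show why a hex-string match must be checked for alignment before it is trusted.

```shell
#!/bin/sh
# Carve the first JPEG out of a raw image (assumed file: image_carve.raw).
set -eu

# Step 0: dump the image as one continuous lowercase hex string (2 chars per byte).
hexstream() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Steps 1/2: byte offset of the first <hexpattern> at or after byte <start_byte>.
# Only matches that begin on an even hex index are real bytes; a match that
# straddles two bytes (e.g. 0f fd 8f f0 -> "0ffd8ff0") is a false positive.
find_hex() {   # find_hex <image> <hexpattern> <start_byte>
    hexstream "$1" | awk -v pat="$2" -v start="$3" '{
        pos = start * 2 + 1                     # awk strings are 1-indexed
        while ((i = index(substr($0, pos), pat)) > 0) {
            abs = pos + i - 1                   # 1-indexed position in the full string
            if (abs % 2 == 1) { print (abs - 1) / 2; exit }   # byte aligned
            pos = abs + 1                       # skip the misaligned hit, keep looking
        }
    }'
}

# Steps 3/4: size = EOI + 2 - SOI, then dd that range out. Prints "<start> <size>".
# Caveat: the first FF D9 after the SOI may belong to an embedded EXIF thumbnail,
# and a fragmented file will not come out intact; verify the carved file afterwards.
carve_jpeg() {   # carve_jpeg <image> <out>
    start=$(find_hex "$1" ffd8ff 0)
    [ -n "$start" ] || { echo "no JPEG SOI marker found" >&2; return 1; }
    eoi=$(find_hex "$1" ffd9 "$((start + 3))")
    [ -n "$eoi" ] || { echo "no JPEG EOI marker found" >&2; return 1; }
    size=$((eoi + 2 - start))
    dd if="$1" of="$2" bs=1 skip="$start" count="$size" 2>/dev/null
    echo "$start $size"
}

# Constructed test image (not real evidence): 4-byte decoy, 4 bytes of padding,
# a minimal 22-byte JPEG (SOI, APP0/JFIF segment, EOI), then 2 trailing bytes.
make_sample_image() {   # make_sample_image <path>
    {
        printf '\017\375\217\360'                               # decoy: hex "0ffd8ff0"
        printf 'ABCD'                                           # padding
        printf '\377\330\377\340\000\020JFIF\000\001\001\000'   # SOI + APP0 header
        printf '\000\001\000\001\000\000\377\331'               # densities, no thumb, EOI
        printf 'ZZ'                                             # slack after the file
    } > "$1"
}
```

Usage: `make_sample_image image_carve.raw && carve_jpeg image_carve.raw out.jpg` prints `8 22`, and `od -tx1 out.jpg` shows the file starting at ff d8 and ending at ff d9.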
